Linux Kernel HTB Scheduler NULL Pointer Dereference Vulnerability

Vulnerability

A vulnerability in the Linux kernel's Hierarchical Token Bucket (HTB) scheduling algorithm can lead to a NULL pointer dereference. This issue arises when the HTB scheduler's dequeue process interacts with a 'blackhole' qdisc, which drops packets. The resulting state causes the HTB scheduler to encounter an empty red-black tree, triggering a BUG_ON assertion failure.

Impact

Exploitation of this vulnerability causes a kernel panic due to a NULL pointer dereference, leading to a denial of service.

Reproduction

The vulnerability can be reproduced by deleting the default HTB qdisc on the loopback interface and then re-adding it. After adding a 'netem' qdisc, which introduces packet loss, a 'blackhole' qdisc can be added to drop packets. This sequence of actions causes the HTB scheduler to improperly handle the empty queue state, leading to the NULL pointer dereference.

Remediation

The vulnerability has been fixed in the Linux kernel by modifying the HTB scheduler to return NULL instead of triggering a BUG_ON assertion when encountering an empty red-black tree.
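The fix pattern described above, as an added example: a simplified user-space C model, not kernel source and not code from the advisory. All names (`sched`, `cls`, `lookup_leaf`, `sched_dequeue`, `dropping_child`) are hypothetical, and a plain binary tree root stands in for the red-black tree.

```c
#include <stddef.h>

/* Simplified user-space model of the fix. All names are hypothetical;
 * none of this is kernel source. */
struct sched;
struct cls {
    struct cls *left, *right;          /* position in the active-class tree */
    struct sched *owner;
    int (*dequeue)(struct cls *);      /* child qdisc: packet id, or -1 if none */
};
struct sched {
    struct cls *active_root;           /* stands in for the red-black tree root */
    int empty_lookups;                 /* times the pre-fix assertion would have fired */
};

/* Child that models the drop-everything case: it hands back no packet and,
 * having gone empty, removes its class from the active tree. */
static int dropping_child(struct cls *c) {
    c->owner->active_root = NULL;      /* c is the only active class in this model */
    return -1;
}

/* Child that always has a packet (constructed id 7). */
static int normal_child(struct cls *c) { (void)c; return 7; }

/* Fixed lookup: an empty tree is a valid state and yields NULL. */
static struct cls *lookup_leaf(struct sched *s) {
    struct cls *n = s->active_root;
    if (!n) {                          /* pre-fix code asserted here (BUG_ON) */
        s->empty_lookups++;
        return NULL;
    }
    while (n->left)
        n = n->left;
    return n;
}

/* Dequeue loop: after a child yields nothing, the tree is looked up again,
 * which is where the emptied tree is encountered. */
static int sched_dequeue(struct sched *s) {
    struct cls *start = lookup_leaf(s), *c = start;
    while (c) {
        int pkt = c->dequeue(c);
        if (pkt >= 0)
            return pkt;
        c = lookup_leaf(s);            /* may now return NULL: stop cleanly */
        if (c == start)
            break;
    }
    return -1;                         /* nothing to send, no crash */
}
```

The `empty_lookups` counter marks each point where an assertion on a non-empty tree would have halted the system; with the NULL return, the caller simply reports that there is nothing to dequeue.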

Added: Jul 28, 2025, 1:26 PM
Updated: Jul 28, 2025, 1:26 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 0.0
relevance: 0.3
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.